Access control vulnerability detection method and system based on state deviation analysis

A technology for access control vulnerability detection, applied in the field of network security, that addresses the inability of existing methods to model complex data relationships, and achieves the effects of improving detection efficiency and reducing dependence.

Pending Publication Date: 2022-04-29
PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU

AI Technical Summary

Problems solved by technology

[0006] Existing methods for identifying access control vulnerabilities are limited by coarse-grained access control models, by the complex relationships between data entities, and by requirements tied to the source code language and a specific platform. To model complex data relationships spanning multiple program files and determine the access control issues that result, the present invention proposes a method and system for access control vulnerability detection based on state deviation analysis. It transforms the access control vulnerability detection problem into detecting the discrepancy between the application's expected behavior logic, extracted from the code, and its actual behavior logic observed during real access, which greatly reduces the limitations that the coarse-grained model and the complexity of data relationships impose on vulnerability detection. Compared with the traditional black-box method, the combination with white-box technology greatly improves detection efficiency.


Embodiment Construction

[0048] The present invention will be further explained below in conjunction with the accompanying drawings and a specific embodiment:

[0049] As shown in Figure 1, an access control vulnerability detection method based on state deviation analysis includes:

[0050] Taking the source code of the web application as input, extracting the site map and the expected behavior logic contained in the code through static analysis, then using the generated site map as a guide for dynamic analysis and inputting the login credentials of multiple roles and multiple users to obtain HTTP requests and HTTP responses under different login states;

[0051] Using a finite state machine (FSM) to model the web application, formalizing the discovery of access control vulnerabilities as a difference comparison between the expected FSM behavior model and the actual FSM behavior model, identifying access control vulnerabilities and generating a vulnerability report; including: Static analysis is use...
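As an added illustration of the comparison step in [0051] (this is not code from the patent), the following Python sketch takes a per-role expected behavior model standing in for the output of static analysis and a set of observed HTTP exchanges standing in for dynamic analysis under several login states, builds the actual model from the responses, and reports the transitions the actual model takes that the expected model forbids. Roles, routes, user ids and responses are constructed sample data.

```python
import re
from typing import Dict, List, Set, Tuple

Transition = Tuple[str, str]  # (HTTP method, path or path template)

# Expected FSM transitions per role, as static analysis of a hypothetical app's
# route table and permission checks would produce. "{uid}" marks a resource
# bound to the logged-in user's own id. Constructed sample data.
EXPECTED: Dict[str, Set[Transition]] = {
    "admin": {("GET", "/dashboard"), ("GET", "/admin/users"), ("POST", "/admin/users/delete")},
    "user":  {("GET", "/dashboard"), ("GET", "/profile/{uid}"), ("POST", "/profile/{uid}")},
    "guest": {("GET", "/login"), ("POST", "/login")},
}

# Observed exchanges from dynamic analysis under different login states (constructed):
# (role, user id, method, path, status, Location header or "")
OBSERVED = [
    ("admin", 1, "GET", "/admin/users", 200, ""),
    ("user",  2, "GET", "/dashboard", 200, ""),
    ("user",  2, "GET", "/profile/2", 200, ""),
    ("user",  2, "GET", "/profile/3", 200, ""),           # another user's profile served
    ("user",  2, "GET", "/admin/users", 200, ""),         # admin-only page served to a user
    ("user",  2, "POST", "/admin/users/delete", 403, ""), # correctly refused
    ("guest", 0, "GET", "/dashboard", 302, "/login"),     # bounced to login: not reached
    ("guest", 0, "GET", "/login", 200, ""),
]

def reached(status: int, location: str) -> bool:
    """A transition counts as taken only if the target state was actually served:
    a 2xx response that is not a redirect back to the login page."""
    return 200 <= status < 300 and not location.endswith("/login")

def normalize(path: str, uid: int) -> str:
    # Collapse the caller's own id to the template form; a foreign id stays
    # concrete, so it can never match an expected "{uid}" transition.
    return re.sub(rf"/profile/{uid}$", "/profile/{uid}", path)

def build_actual_model(observed) -> Dict[str, Set[Transition]]:
    actual: Dict[str, Set[Transition]] = {}
    for role, uid, method, path, status, location in observed:
        if reached(status, location):
            actual.setdefault(role, set()).add((method, normalize(path, uid)))
    return actual

def classify(role: str, method: str, path: str, expected) -> str:
    # Same function on another user's object -> horizontal deviation;
    # a function the role has no transition for at all -> vertical deviation.
    template = re.sub(r"/profile/\d+$", "/profile/{uid}", path)
    return "horizontal" if (method, template) in expected.get(role, set()) else "vertical"

def find_deviations(expected, actual) -> List[Tuple[str, str, str]]:
    """State deviations: transitions present in the actual FSM but absent from the expected FSM."""
    findings = []
    for role, transitions in actual.items():
        for method, path in sorted(transitions - expected.get(role, set())):
            findings.append((role, f"{method} {path}", classify(role, method, path, expected)))
    return findings

if __name__ == "__main__":
    for finding in find_deviations(EXPECTED, build_actual_model(OBSERVED)):
        print("DEVIATION", *finding)
```

Transitions the expected model allows but the actual model never takes are not vulnerabilities; they indicate coverage gaps in the dynamic phase and would be reported separately.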


Abstract

The invention discloses an access control vulnerability detection method and system based on state deviation analysis. The method comprises the steps of: taking the source code of a Web application as input, extracting the site map and the expected behavior logic contained in the code through static analysis, then taking the generated site map as the guide for dynamic analysis and inputting the login credentials of multiple roles and multiple users to obtain HTTP requests and responses in different login states; using a finite state machine (FSM) to model the Web application, formalizing the discovery of access control vulnerabilities as a difference comparison between an expected FSM behavior model and an actual FSM behavior model, recognizing the access control vulnerabilities, and generating a vulnerability report. With this method, complex logic that is difficult to discover through static analysis alone can be detected, detection efficiency can be greatly improved through directed functional testing, and full-path coverage can be achieved.

Description

Technical field

[0001] The invention belongs to the technical field of network security, and in particular relates to an access control vulnerability detection method and system based on state deviation analysis.

Background technique

[0002] With the economic growth of society, the Internet continues to develop rapidly and penetrates every field of social life, becoming an indispensable element of modern society. As the most important application form of the Internet, Web technology has been widely popularized and used in important fields such as science, education, transportation, and finance. Relying on the development of the Internet, Web technology has penetrated all aspects of people's daily life. The endless stream of web applications such as shopping websites, online banks, and social platforms all demonstrate the pivotal role of Web technology in people's lives.

[0003] While bringing convenience to people's daily life, the number of attacks aga...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/57; H04L9/40
CPC: G06F21/577; H04L63/1433
Inventors: 魏强, 王允超, 武泽慧, 马琪灿, 王新蕾, 周国淼
Owner: PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV (PLA SSF IEU)